Slashdot Mirror


Hackers Steal Data Of 4.5 Million US Hospital Patients

itwbennett (1594911) writes Community Health Systems said the attack occurred in April and June of this year, but it wasn't until July that it determined the theft had taken place. Working with a computer security company, it determined the attack was carried out by a group based in China that used 'highly sophisticated malware' to attack its systems. The hackers got away with patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years. The stolen data did not include patient credit card, medical, or clinical information.

16 of 111 comments

  1. Re:Well I for one by The Grim Reefer · · Score: 4, Funny

    Yes, but think of all the new medical breakthroughs and publications that will be coming out of China in the next few years. ;-)

  2. why internet connected? by Anonymous Coward · · Score: 2, Informative

    What were such systems doing connected to the public internet?

    You reap what you sow. Put a system on the internet that is a big enough target, and it WILL be owned. The safe approach is physical separation coupled with careful local access control to prevent USB-style attacks (though with physical separation it is hard for them to phone home again).

    1. Re:why internet connected? by Sarten-X · · Score: 4, Insightful

      This is utterly ignorant.

      Many (if not most) healthcare providers in the US are affiliated with a larger organization, such as Community Health Systems. The branch offices need to have access to patient data from other affiliated providers, and given that this includes emergency rooms and other urgent-care facilities, the information must be available as quickly as possible. Physical separation is not a reasonable option.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:why internet connected? by Sabbatic · · Score: 5, Insightful

      Kind of ignorant to assume that such information sharing, which is only about 25 years old, is so absolutely vital that anyone who questions it is foolish. I don't recall vast numbers of people dying in ERs across the country pre-internet as opposed to post. It's useful, no doubt, and saves some lives, but if the data can't be handled responsibly, it's reasonable to ask whether the benefit is worth the cost of exposing millions of people to massive breaches of privacy and risk of identity theft. In any event, since you have positioned yourself as knowledgeable about emergent care, I can assume that you are fully aware that the quick life-and-death decisions in ERs happen more quickly than would allow for a read-through of someone's medical history. In fact, too much data has been shown to lead to more misdiagnoses in ERs.

    3. Re:why internet connected? by ColdWetDog · · Score: 2

      What were such systems doing connected to the public internet?

      You reap what you sow. Put a system on the internet that is a big enough target, and it WILL be owned. The safe approach is physical separation coupled with careful local access control to prevent USB-style attacks (though with physical separation it is hard for them to phone home again).

      They weren't on the 'public' Internet. They got hacked. Why was this stuff even on the network? Excellent question. The quick answer is that the hospital would like to get paid. So they have to create claims. Claims these days are electronic, little to no paper. The claims have to be sent from the hospital to the insurance companies -- through a network. And that network is .... the Internet.

      Yes, hospitals could just go back to point-to-point dial-up, but that's not very convenient. They most likely had firewalls and other fancy things to prevent this sort of thing from happening but got caught either misconfiguring something or, more likely, having some witless employee fooled into divulging something they shouldn't have. And before you get all high and mighty about this sort of thing, stop and reflect that the next witless employee might well turn out to be you.

      --
      Faster! Faster! Faster would be better!
    4. Re:why internet connected? by chooks · · Score: 2

      In fact, too much data has been shown to lead to more misdiagnoses in ERs.

      Citation needed

      What type of data are you talking about? Lots of largely irrelevant lab data? (oh look...an elevated ESR!) Or is it historical data (Why yes Doctor, I do have a metal plate in my head. Is that bad for an MRI?)

      The clinical history is one of the most powerful diagnostic tools available. Even in the ED.

      --
      -- The Genesis project? What's that?
    5. Re:why internet connected? by jellomizer · · Score: 2

      You do not work in health care, do you?

      So when you get registered at the hospital, your data will electronically get sent to the Electronic Medical Record system, which then will be sent to the lab systems, and back. Then all this data gets fed into a billing system, which then needs to electronically send this data to the insurance company to be billed. Now we also have new regulations called Meaningful Use, and one of them is the ability to send electronic medical data to the patient in less than 72 hours of the request. To meet this requirement most places have set up a Patient Portal, where the patient can log in via the web and get their access.

      For proper treatment of patients the data needs to get sent to the professionals who need it, and they may be in different locations around the world.

      So the government is telling Health Care industries to lock down PHI and make it more Open at the same time.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  3. Re:yet another reason not to trust doctors by Tablizer · · Score: 2

    Well, your DIY lobotomy didn't turn out so well.

  4. Re:HIPAA Compliance by Anonymous Coward · · Score: 4, Informative

    That is a very common misunderstanding. HIPAA only applies to "covered entities." That includes healthcare clearinghouses, health plans, and healthcare providers that transmit your information electronically. For example, the hospital I work for accidentally put thousands of records on a public web site, but because we didn't at the time transmit that information electronically to others as a normal part of our business, it wasn't a HIPAA violation. Another example is a collection agency. HIPAA doesn't apply to them either. HIPAA only protects your information in a small number of the use cases.

  5. Re:Nice contrast.. by stephanruby · · Score: 2

    with the story about 'doctor visits' over Skype, and how many posters were railing against how they were afraid of eavesdropping/decrypting of their Skype conversations. Where are they now!

    These days, most of them are currently in China getting free medical advice and racking up medical bills over Skype.

  6. Re:Well I for one by ShanghaiBill · · Score: 4, Insightful

    Your supposedly confidential records are not confidential.

    My name, address, and phone number are already public information, and in the phone book. The only "confidential" information they got was the SSN, and that should be fixed by making it illegal to use SSNs as authentication. I am required to disclose my SSN to employers, contractees, financial institutions, creditors, etc. It is ridiculous to then assume that mere knowledge of my SSN is "proof" that I am me.

  7. Re: Got SS number but by ShanghaiBill · · Score: 2

    This should warrant jail time.

    America already imprisons more people than any other country. Many states spend more on prisons than on higher education. If, in addition to criminals, we want to also imprison the merely incompetent, we will need ten times as many prison cells.

  8. VPNs don't solve this on their own by dutchwhizzman · · Score: 4, Interesting

    Disclosure: I'm a professional Penetration Tester

    We find plenty of these sorts of setups at our customers. Customers set up VPNs, have a password policy and a virus scanner. They have firewalls and keep user policies restricted. Then we come and we trojan someone, or find a weak WiFi password, or whatever we use to get a foothold inside their network; all it takes is one little mistake and we're "in". Once we get there, we log keyboards, get password hashes from the network or system memory and start to pivot all over the place. Usually, our software will trigger virus alerts, but staff doesn't react to those "in a timely fashion" and we get to keep going even though alarms are going off on several computers. We could cloak our malware and sometimes we do, but usually it's too much trouble and we get domain admin passwords within a few days and rule the network in such a way that admins wouldn't be able to get rid of us if we were to rootkit and backdoor properly.

    It takes more than some policies and a VPN these days. You need IDS, proper procedures, layered security and skilled, motivated staff who know how to deal with security incidents. You need properly trained and aware users who aren't afraid to admit they messed up and who have no problem reporting others doing wrong either. Don't rely on a single technical measure, but implement them all and make sure you test and train on a regular basis. Get a data classification policy and protect data according to that policy. That means that stuff like SSNs and anything that can be used for identity theft should get extra layers of protection and alerting implemented. If you don't do all this, a serious intruder will usually get what they want.

    --
    I was promised a flying car. Where is my flying car?
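A defender-side illustration of the point dutchwhizzman makes above (alarms firing on several computers while nobody connects them), added here as an example; it is not code from the post or from any vendor's product. It parses constructed antivirus alert lines (the line format, hostnames, detection names and thresholds are all assumptions) and escalates any detection that shows up on several distinct hosts within a short window, the footprint a pivoting intruder leaves, and separately lists detections the scanner only reported but did not remediate.

```python
"""Correlate endpoint AV alerts across hosts within a time window.

Added example, not from the original thread: the sample lines below are
constructed, and the key=value format, the 30-minute window and the
three-host threshold are assumptions to be tuned to a real console.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample alerts (timestamp, host, scanner action, detection name).
SAMPLE_ALERTS = """\
2014-04-03T09:12:05 host=ws-0412 action=quarantined threat=Trojan.Generic
2014-04-03T09:14:40 host=ws-0417 action=detected threat=HackTool.PwDump
2014-04-03T09:15:02 host=ws-0412 action=detected threat=HackTool.PwDump
2014-04-03T09:21:19 host=fs-02 action=detected threat=HackTool.PwDump
2014-04-03T13:40:00 host=ws-0199 action=quarantined threat=Adware.Toolbar
2014-04-04T02:05:11 host=dc-01 action=detected threat=HackTool.PwDump
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>\S+) threat=(?P<threat>\S+)$"
)


def parse_alerts(text):
    """Parse alert lines into dicts with a datetime 'ts'; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        alerts.append(rec)
    return alerts


def find_spreading_threats(alerts, window=timedelta(minutes=30), min_hosts=3):
    """Return {threat: sorted host list} for detections seen on at least
    `min_hosts` distinct hosts inside any `window`-long span.

    One alert on one box is routine noise; the same tool appearing on several
    boxes within half an hour is lateral movement and deserves a person, now.
    """
    by_threat = defaultdict(list)
    for a in alerts:
        by_threat[a["threat"]].append(a)

    escalations = {}
    for threat, recs in by_threat.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        # Sliding window over the time-ordered alerts for this detection name.
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            hosts = {r["host"] for r in recs[start:end + 1]}
            if len(hosts) >= min_hosts:
                escalations[threat] = sorted(hosts)
                break
    return escalations


def open_detections(alerts):
    """(host, threat) pairs the scanner reported but did not quarantine or clean.

    These are the alerts that stay red on the console until someone acts.
    """
    return sorted({(a["host"], a["threat"]) for a in alerts if a["action"] == "detected"})


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for threat, hosts in find_spreading_threats(parsed).items():
        print(f"ESCALATE: {threat} seen on {len(hosts)} hosts: {', '.join(hosts)}")
    for host, threat in open_detections(parsed):
        print(f"unremediated: {threat} on {host}")
```

Run against the constructed sample, the password-dumping tool is escalated because it was seen on three workstations and a file server within seven minutes, while the two quarantined items stay as routine noise. The same logic would feed a ticketing system or a pager rather than stdout; the point is that the correlation across hosts is done by code, not by whoever happens to glance at the console.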
    1. Re:VPNs don't solve this on their own by JDG1980 · · Score: 4, Insightful

      You need properly trained and aware users

      In other words, we're doomed.

    2. Re:VPNs don't solve this on their own by jbmartin6 · · Score: 3, Informative

      I work the other side of this scenario, and while you are right for the most part (IDS technology sucks and should never be used), what you describe is an elaborate and costly setup that a minority of organizations could implement and even fewer could do effectively. It seems to me that a much more effective approach would be to limit the value (i.e. risk) of the information available to an attacker. Instead of taking extra measures to protect SSNs, ask if we even need to store them at all. I've seen a lot of incidents where I had to ask things like 'Why does this database have all this information in it when you only need three fields?' I'm not saying we should simply accept intrusion, but vulnerability is infinite, so moving to reduce the value of an intrusion to reduce the reward for attackers might be more effective than fruitlessly striving for perfect defense.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
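One way to put jbmartin6's "do we even need to store it" question into practice, added here as an example rather than code from the thread or from any hospital system: an incoming record is cut down to the fields a downstream system is assumed to need, and where an SSN must survive for record matching it is replaced by a keyed HMAC token so the table, if stolen, does not yield SSNs on its own. The field names, the sample records and the key are constructed assumptions.

```python
"""Reduce what a breached table is worth: keep only needed fields, no raw SSNs.

Added example, not code from the thread: REQUIRED_FIELDS, the sample records
and PSEUDONYM_KEY are constructed placeholders.
"""
import hashlib
import hmac
import re

# Fields the downstream system is assumed to need; everything else is dropped.
REQUIRED_FIELDS = ("patient_id", "last_name", "date_of_birth")

# Constructed placeholder. A real key is random, lives in a secret store or HSM,
# and is never kept in the same database (or backup) as the tokens it protects.
PSEUDONYM_KEY = b"placeholder-key-from-secret-store"

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

# Constructed sample input: what a registration feed might hand over.
SAMPLE_RECORDS = [
    {"patient_id": "P-100234", "last_name": "Doe", "date_of_birth": "1970-05-12",
     "ssn": "123-45-6789", "phone": "555-0100", "address": "1 Example St",
     "credit_card": "4111111111111111"},
    {"patient_id": "P-100235", "last_name": "Roe", "date_of_birth": "1982-11-03",
     "ssn": "987654321", "phone": "555-0101"},
]


def pseudonymize_ssn(ssn, key=PSEUDONYM_KEY):
    """Return an HMAC-SHA256 token for an SSN, normalised to nine digits.

    There are only about 10^9 possible SSNs, so an unkeyed hash is brute-forced
    in minutes; a keyed HMAC holds only as long as the key stays separate from
    the data. The token still supports matching and de-duplication across feeds.
    """
    if not SSN_RE.match(ssn):
        raise ValueError("SSN not in expected format")
    digits = ssn.replace("-", "")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def minimize(record, required=REQUIRED_FIELDS, keep_ssn_token=False):
    """Return a new record holding only `required` fields, plus an SSN token on request.

    Fields that are not needed (card numbers, addresses, phone numbers) never
    reach storage, so a later breach of this table cannot expose them.
    """
    missing = [f for f in required if f not in record]
    if missing:
        raise KeyError(f"record lacks required fields: {missing}")
    out = {f: record[f] for f in required}
    if keep_ssn_token and record.get("ssn"):
        out["ssn_token"] = pseudonymize_ssn(record["ssn"])
    return out


def contains_raw_ssn(record):
    """Cheap pre-storage guard: does any value still look like a plaintext SSN?"""
    return any(isinstance(v, str) and SSN_RE.match(v) for v in record.values())


if __name__ == "__main__":
    for raw in SAMPLE_RECORDS:
        slim = minimize(raw, keep_ssn_token=True)
        assert not contains_raw_ssn(slim)
        print(f"{raw['patient_id']}: kept {sorted(slim)}, dropped {sorted(set(raw) - set(slim))}")
```

The guard in `contains_raw_ssn` is deliberately dumb; its job is to fail loudly in a test or an ingest pipeline when someone adds a field that reintroduces plaintext SSNs. Whether the token is needed at all is the question the comment asks first: if no process ever matches on SSN, `keep_ssn_token` stays false and nothing derived from the SSN is stored.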
  9. Re:Well I for one by Aighearach · · Score: 2

    Contractees should be given an EIN, not an SSN.